Microsoft released a security hardening tool for IIS dubbed "UrlScan" allowing server admin to set various security lockdown measures including the ability to restrict the size of a user's request. With "Urlscan" not only can we set request size restrictions (blocking an attackers attempt to thwart IIS's logging capabilities), but we can also log the entire request string sent by the attacker for further analysis. To start, first download "UrlScan" software and configure it to block long requests. Blocking long requests ensures that the request never reaches the target application, which thwarts an attacker's attempt to mask the attack against a specific application.
Installation Steps:
1. After downloading Setup.exe from Microsoft's site, double-click it.
2. If, after carefully reviewing the End User License Agreement, you agree to the installation of UrlScan, click "Yes."
3. When you see a pop-up box stating, "UrlScan has been successfully installed", installation is complete. Two files (UrlScan.ini and UrlScan.dll) will be installed under %windir%\system32\inetsrv\urlscan, which is usually under C:\WINNT\system32\inetsrv\urlscan on a Windows 2000 server.
Configuration Steps:
1. Go to the directory created by UrlScan (as stated above) and open the UrlScan.ini file.
2. The default setting "MaxQueryString=2048" is an acceptable default that will prevent query strings longer than 2,048 characters from being passed to the application.
3. Configure any other options you may need. In URLScan 2.5, Microsoft introduced the "LogLongUrls" option that allows logging up to 128k of a request. This option can be enabled in UrlScan.ini by changing "LogLongUrls=0" to "LogLongUrls=1". By setting this option, you can log any attempts by an attacker who is trying to exploit this issue.
You must restart IIS for this change to take effect. Conclusions Microsoft's URLScan is a very useful tool that every IIS administrator should take the time to investigate. This document outlines steps to harden your system against a specific threat. Documentation on how to enable length restrictions on request header data can be found at the URLScan homepage . Readers of this document are encouraged to explore other configuration options in URLScan to further lock down their machine. Microsoft confirms that this behavior works as designed. Previous versions of IIS (version 4.0 and below) were not tested for this vulnerability and may also be affected.
Home
Contact Us
